[APOLLO-2103] Fix SSRF

[kezhenxu94]

fix SSRF, resolve #2103

[codecov-io]

Codecov Report

Merging #2105 into master will decrease coverage by 0.1%.
The diff coverage is 0%.

@@             Coverage Diff              @@
##             master    #2105      +/-   ##
============================================
- Coverage     50.05%   49.95%   -0.11%     
  Complexity     1981     1981              
============================================
  Files           401      401              
  Lines         12384    12403      +19     
  Branches       1268     1276       +8     
============================================
- Hits           6199     6196       -3     
- Misses         5742     5763      +21     
- Partials        443      444       +1

Impacted Files	Coverage Δ	Complexity Δ
...apollo/portal/controller/SystemInfoController.java	13.46% <0%> (-7.76%)	3 <0> (ø)
...mework/apollo/portal/component/PortalSettings.java	65.07% <0%> (-4.77%)	5% <0%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f50dc4e...97ffde8. Read the comment docs.

[coveralls]

Coverage decreased (-0.1%) to 53.535% when pulling 97ffde8 on kezhenxu94:master into f50dc4e on ctripcorp:master.

[nobodyiam]

LGTM

[liutao5121]

/health 未授权访问漏洞 解决了吗？如果已解决，哪个版本中解决了？@[nobodyiam]

[nobodyiam]

@liutao5121

What do you mean by /health 未授权访问漏洞 解决了吗？?
I believe /health doesn't expose any sensitive information, and it could be used by external platforms like Kubernetes readiness probe.
But if you really want to close this endpoint, you may simply configure it via the standard spring boot way.
Currently, apollo exposes info,health,metrics,prometheus by default

[liutao5121]

I tried to resolve the unauthorized access vulnerability (/health) by turning off the health endpoint of the AdminService module, which caused no configuration information to be seen on the Apollo-Portal interface

[liutao5121]

[liutao5121]

If the adminService module configuration "management. Endpoints. Web. Exposure. Exclude = health", the upper right corner of the portal page complains, don't see any configuration information .....The picture above is my test results

[nobodyiam]

Right...I forgot the portal will ping admin-service's health endpoint to check whether it's healthy.

apollo/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/api/AdminServiceAPI.java

Lines 42 to 44 in d15331b

	public Health health(Env env) {
	return restTemplate.get(env, "/health", Health.class);
	}